NET201: Networking with Lab 2

Configuring Cisco Switch Security Features

Laboratory Exercise # 1

GRADE

Group No. : ____ Signature

Leader : SURNAME, First Name Middle Initial. ___________________

Members :
SURNAME, First Name Middle Initial. ___________________
SURNAME, First Name Middle Initial. ___________________

Date Performed : Day Month Year

Date Submitted : Day Month Year

Engr. Ricrey E. Marquez, CpE, MSCS

(Lab Instructor)
OBJECTIVES AND MATERIALS

Objectives:

After this laboratory, students should be able to:

1. set up the topology and initialize devices

2. configure basic device settings and verify connectivity, and
3. configure and verify security features on Cisco switch.

Materials:

QUANTITY PART DESCRIPTION

NUMBER
- Working Personal Computer (PC)
1 with Installed Cisco Packet Tracer
Software

Scenario:

It is quite common to lock down access and install strong security features
on PCs and servers. It is important that your network infrastructure devices, such
as switches and routers, are also configured with security features.
In this lab, you will follow some best practices for configuring security
features on LAN switches. You will also configure and verify port security to lock
out any device with a MAC address not recognized by the switch.
PROCEDURES

Task 1. Set Up the Topology and Initialize Devices.

1. Cable the network topology as shown in Figure 1.1 using Packet Tracer network
simulator software,
2. Initialize and reload the router and switch. Note: If configuration files were
previously saved on the router or switch, initialize and reload these devices back
to their default configurations (Reminders: Capture all the outputs since they
part of your data results)
In Router DCE

Router> en
Router# sh run

In Switch DCE

Switch> en
Switch# sh run

Task 2. Configure Basic Device Settings and Verify Connectivity

1. Configure an IP address on PC-DCE (Refer to the Addressing Table for the IP
Address information in Table 1.1.)
2. Configure basic settings on DCE router.
Router> en
Router# hostname DCE_RTR
Router# conf t
Router# hostname DCE_RTR
DCE_RTR(config)# no ip domain-lookup
DCE_RTR(config)# service password-encryption
DCE_RTR(config)# enable secret dce
DCE_RTR(config)# banner motd #This is DCE office, unauthorized
access is strictly prohibited!#
DCE_RTR(config)# line con 0
DCE_RTR(config-line)# password dcesilver
DCE_RTR(config-line)# login
DCE_RTR(config-line)# exit
DCE_RTR(config)# line vty 0 4
DCE_RTR(config-line)# password dcesilver
DCE_RTR(config-line)# login
DCE_RTR(config-line)# exit
DCE_RTR(config)# int g0/0
DCE_RTR(config-if)# ip add 192.168.10.1 255.255.255.0
DCE_RTR(config-if)# no shutdown
DCE_RTR(config-if)# end
 DCE_RTR# copy run start
DCE_RTR# exit

3. Verify your configuration using command show ip interface brief

4. Configure basic settings on DCE switch.
Switch> en
Switch# conf t
Switch(config)# hostname DCE_SW
DCE_SW(config)# no ip domain-lookup
DCE_SW(config)# service password-encryption
DCE_SW (config)# enable secret dce
DCE_SW(config)# banner motd #This is DCE LAN, unauthorized access
is strictly prohibited!#
DCE_SW(config)# line con 0
DCE_SW(config-line)# password dcesilver
DCE_SW(config-line)# login
DCE_SW(config-line)# exit
DCE_SW(config)# line vty 0 15
DCE_SW(config-line)# password dcesilver
DCE_SW(config-line)# login
DCE_SW(config-if)# end
DCE_SW# copy run start

5. Create VLAN 99 on the switch and name it DCE-Students.

DCE_SW(config)# vlan 99
DCE_SW(config-vlan)# name DCE-Students
DCE_SW(config-vlan)# exit
DCE_SW(config)#

6. Configure the VLAN 99 management interface IP address, as shown in the Table

1, and enable the interface.

DCE_SW(config)# int vlan 99

DCE_SW(config-if)# ip add 192.168.10.99 255.255.255.0
DCE_SW(config-if)# no shutdown
DCE_SW(config-if)# end
DCE_SW#

7. Issue the show vlan command on DCE_SW. What is the status of VLAN 99?
________________________________________________________________

8. Issue the show ip interface brief command on DCE_SW. What is the

status and protocol for DCE-Students interface VLAN 99? Why is the protocol
down, even though you issued the no shutdown command for interface VLAN
99?
________________________________________________________________
________________________________________________________________
9. Assign ports F0/1 and F0/2 to VLAN 99 on the switch.

DCE_SW# conf t
DCE_SW(config)# int fa0/1
DCE_SW(config-if)# switchport mode access
DCE_SW(config-if)# switchport access vlan 99
DCE_SW(config-if)# int fa0/2
DCE_SW(config-if)# switchport mode access
DCE_SW(config-if)# switchport access vlan 99
DCE_SW(config-if)# end
DCE_SW# copy run start
DCE_SW#

10. Issue the show ip interface brief command on DCE_SW. What is the
status and protocol showing for interface VLAN 99? Note: There may be a delay
while the port states converge.
________________________________________________________________

11. Verify connectivity between devices.

a. From DCE-PC, ping the default gateway address on DCE_RTR. Were your pings
successful?
________________________________________________________________
b. From DCE-PC, ping the DCE-Students address of DCE_SW. Were your pings
successful?
________________________________________________________________
c. From DEC_SW, ping the default gateway address on DCE_RTR. Were your
pings successful?
________________________________________________________________
d. From DCE-PC, open a web browser and go to http://192.168.10.99. If you are
prompted for a username and password, leave the username blank and use
dcesilver for the password. If you are prompted for a secured connection,
answer No. Were you able to access the web interface on DCE_SW?
________________________________________________________________
e. Close the browser.

Note: The non-secure web interface (HTTP server) on a Cisco 2960 switch is
enabled by default. A common security measure is to disable this service, as
described in Task 3.
Task 3. Configure and Verify Security Features on DCE_SW.

1. Configure general security features on DCE_SW.

a. Change the message of the day (MOTD) banner on DCE_SW to, “Unauthorized
access is strictly prohibited. Violators will be prosecuted to the full extent of
the law.” Then verify the new banner.

b. Issue a show ip interface brief command on DCE_SW. What physical ports

are up?
____________________________________________________________________

c. Shut down all unused physical ports on the switch. Use the interface range
command.

DCE_SW> en
DCE_SW# conf t
DCE_SW(config)# int range fa0/3-24
DCE_SW(config-if-range)# shutdown
DCE_SW(config-if-range)# int range g0/1-2
DCE_SW(config-if-range)# shutdown
DCE_SW(config-if-range)# end
DCE_SW#

d. Issue the show ip interface brief command on DCE_SW. What is the status
of ports Fa0/3 to Fa0/24?
____________________________________________________________________

3. Configure and verify port security on DCE_SW.

a. Record the DCE_RTR G0/0 MAC address. From the DCE_RTR CLI, use the show
interface g0/0 command and record the MAC address of the interface. What is
the MAC address of the DCE_RTR G0/0 interface?
___________________________________________________________________

DCE_RTR> show interface g0/0

b. From the DCE_SW CLI, issue a show mac address-table command from user EXEC
mode. Find the dynamic entries for ports Fa0/1 and Fa0/2. Record them below.
Fa0/1 MAC Address :____________________________________________
Fa0/2 MAC Address :____________________________________________

DCE_SW> show interface fa0/1

DCE_SW> show interface fa0/2
4. Configure basic port security.

a. From the DCE_SW CLI, enter interface configuration mode for the port that connects
to DCE_RTR.

DCE_SW> en
DCE_SW# conf t
DCE_SW(config)# interface fa0/1

b. Shut down the port.

DCE_SW(config-if)# shutdown

c. Enable port security on Fa0/1.

DCE_SW(config-if)# switchport port-security

Note: Entering the switchport port-security command sets the maximum

MAC addresses to 1 and the violation action to shutdown. The switchport
port-security maximum and switchport port-security violation
commands can be used to change the default behavior.

d. Configure a static entry for the MAC address of DCE_RTR G0/0 interface recorded in
step 3a.
DCE_SW(config-if)# switchport port-security mac-address
xxxx.xxxx.xxxx
(xxxx.xxxx.xxxx is the actual MAC address of the router G0/0 interface)

Note: Optionally, you can use the switchport port-security mac-address

sticky command to add all the secure MAC addresses that are dynamically learned
on a port (up to the maximum set) to the switch running configuration.

e. Enable the switch port.

DCE_SW(config-if)# no shutdown
DCE_SW(config-if)# end

4. Verify port security on DCE_SW Fa0/1 by issuing a show port-security

interface command. What is the port status of Fa0/1?
___________________________________________________________________

DCE_SW# show port-security interface fa0/1

5. From DCE_RTR command prompt, ping DCE-PC to verify connectivity.

DCE_RTR> ping 192.168.10.3
6. You will now violate security by changing the MAC address on the router
interface. Enter interface configuration mode for G0/0 and shut it down.
DCE_RTR> en
DCE_RTR# config t
DCE_RTR(config)# interface g0/0 1
DCE_RTR(config-if)# shutdown

7. Configure a new MAC address for the interface, using aaaa.bbbb.cccc as the
address.

DCE_RTR(config-if)# mac-address aaaa.bbbb.cccc

8. If possible, have a console connection open on DCE_SW at the same time that
you do the next two steps. You will eventually see messages displayed on the
console connection to DCE_SW indicating a security violation. Enable the G0/0
interface on DCE_RTR.

DCE_RTR(config-if)# no shutdown

9. From DTE_RTR privileged EXEC mode, ping DCE-PC. Was the ping
successful? Why or why not?
___________________________________________________________________

10. On the switch, verify port security with the following commands.
DCE_SW> en
DCE_SW# show port-security
DCE_SW# show port-security interface fa0/1
DCE_SW# show interface fa0/1
DCE_SW# show port-security address

11. On the DCE router, shut down the G0/0 interface, remove the hard-coded MAC
address from the router, and re-enable the G0/0 interface.
DCE_RTR> en
DCE_RTR# conf t
DCE_RTR(config)# int g0/0
DCE_RTR(config-if)# shutdown
DCE_RTR(config-if)# no mac-address aaaa.bbbb.cccc
DCE_RTR(config-if)# no shutdown
DCE_RTR(config-if)# end
DCE_RTR#

12. From DCE_RTR, ping DCE-PC again at 192.168.10.3. Was the ping successful?
___________________________________________________________________
13. On the switch, issue the show interface fa0/1 command to determine the
cause of ping failure. Record your findings.
DCE_SW> en
DCE_SW# show interface fa0/1

____________________________________________________________

14. Clear the DCE_SW Fa0/1 error disabled status.

DCE_SW> en
DCE_SW# conf t
DCE_SW(config)# int fa0/1
DCE_SW(config-if)# shutdown
DCE_SW(config-if)# no shutdown
DCE_SW(config-if)# end
DCE_SW#

Note: There may be a delay while the port states converge.

15. Issue the show interface Fa0/1 command on DCE_SW to verify Fa0/1 is no
longer in error disabled mode.
DCE_SW# sh int fa0/1

16. From the DCE_RTR command prompt, ping DCE-PC again. The ping should be
successful?
________________________________________________________________

17. Save your Packet Tracer file as NET202 Lab 1 – Group#

NETWORK TOPOLOGY DIAGRAM

Network Address: 192.168.10.0/24

Figure 1.1. Switch Environment Network Diagram

DATA RESULTS

Table 1. Summary of network device interface IP addresses

SUBNET DEFAULT
NETWORK DEVICE INTERFACE IP ADDRESS
ADDRESS GATEWAY
DCE_RTR G0/0 192.168.10.1 255.255.255.0
DCE_SW VLAN 10 192.168.10.99 255.255.255.0 192.168.10.1
DCE-PC NIC 192.168.10.3 255.255.255.0 192.168.10.1

Task 1. Set Up the Topology and Initialize Devices (CLI commands, results, or
answers to some question)

Task 2. Configure Basic Device Settings and Verify Connectivity (CLI

commands, results, or answers to some question)

Task 3. Configure and Verify Security Features on DCE_SW (CLI commands,

results, or answers to some question)
DATA ANALYSIS / OBSERVATIONS

NOTE: Discussion must be based on the data gathered from data results or
observation supported by review of literature with proper reference or author in-
text citation in APA format. Do not copy-paste instead paraphrase it. Data
analysis must be minimum of 2 pages.
QUESTIONS AND ANSWERS

Questions:

1. Why would you enable port security on a switch?

2. Why should unused ports on a switch be disabled?
3. Provide a summary a description of all the switch CLI commands used
in the laboratory exercise in tabular form showing the command
description, and its example.
4. Given the network topology diagram and the assigned interface IP
address presented in Table 2, show and perform basic configuration in
Cisco router (use RIPv1 dynamic routing protocol to advertise network
address of directly connected interfaces) and switches. Also, provide
verification outputs.

Table 2. Summary of network device interface IP addresses

SUBNET DEFAULT
NETWORK DEVICE INTERFACE IP ADDRESS
ADDRESS GATEWAY
CORE_RTR G0/0 192.168.10.1 255.255.255.0
G0/1 192.168.20.1 255.255.255.0
ACCESS_SW1 VLAN 10 192.168.10.10 255.255.255.0 192.168.10.1
VLAN 20 192.168.10.20 255.255.255.0 192.168.10.1
ACCESS_SW2 VLAN 10 192.168.20.10 255.255.255.0 192.168.20.1
VLAN 20 192.168.20.20 255.255.255.0 192.168.20.1
NIC (SW1-
PC1 192.168.10.2 255.255.255.0 192.168.10.1
Fa0/2)
NIC (SW2-
PC2 192.168.10.3 255.255.255.0 192.168.10.1
Fa0/2)
NIC (SW1-
PC3 192.168.20.2 255.255.255.0 192.168.20.1
Fa0/3)
NIC (SW2-
PC4 192.168.20.3 255.255.255.0 192.168.20.1
Fa0/3)

Answers:
CONCLUSION

NOTE: Discussion must be based on the lab objectives supported by review of

literature with proper reference or author in-text citation in APA format. Do not
copy-paste instead paraphrase it. Discuss the implication of findings per
objective (per paragraph). Conclusion must be minimum of 2 pages.
REFERENCES

NOTE: Sample APA format for reference cited only!

Books:

Andreasen, N. C. (2001). Brave new brain: Conquering mental illness in the era
of the genome. Oxford, England: Oxford University Press.

Copstead, L., & Banasik, J. (2005). Pathophysiology (3rd ed.). Philadelphia, PA:
Saunders.

Electronic Books:

Atkin, M. (Reporter). (2008, November 13). Bermagui forest disputed turf. The
Hack Half Hour. Retrieved from http://www.abc.net.au/triplej/hack/notes/

Cooper, D. (2009, March 31). Native ant may stop toad in its tracks. ABC
Science. Retrieved August 15, 2017 from http://www.abc.net.au/science/articles/
2009/03/31/2530686.htm?site=science&topic=latest

Print Journals:

Potente, S., Anderson, C., & Karim, M. (2011). Environmental sun protection and
supportive policies and practices: An audit of outdoor recreational settings in
NSW coastal towns. Health Promotion Journal of Australia, 22, 97-101.

Electronic Journals:

Jackson, D., Firtko, A., & Edenborough, M. (2007). Personal resilience as a

strategy for surviving and thriving in the face of workplace adversity: A literature
review. Journal of Advanced Nursing, 60(1), 1-9. doi:10.1111/j.1365-
2648.2007.04412.x